Cyber Security: User Access Pitfalls, A Case Study Approach
Transcript of Cyber Security: User Access Pitfalls, A Case Study Approach
1 Cyber Security: User Access Pitfalls, Dec. 10th, 2015
2 House Keeping Items
CPE credit:
1) Must answer polling Qs
2) Click on Green button (you’re present)
3) Complete Feedback form
3 Compliance Made Simple ™
Today’s Presenters
Sonia Luna, CEO, Aviva Spectrum
Mrs. Luna is a CPA and CIA with over 16 years as a public and internal audit professional. Appointed to the Smaller & Emerging Companies Advisory Committee by the SEC.
Karla Sasser, Senior Associate, Aviva Spectrum
Mrs. Sasser has over 20 years of finance, accounting and audit experience. Mrs. Sasser is an active CPA, CIA & CITP and has a Master’s in Information Technology. Author of the fast-selling book “Friggin Bean Counters”, sold on Amazon & Barnes and Noble.
4 Agenda
1. Insider Threats vs. External Threats
2. State of Affairs: Internal and External Threats
3. Case Study Internal Threats
4. Cost of a BREACH!
5. User Access Rights (Best Practices)
6. Sony Breach Lessons Learned
7. Cloud Applications (what are “targets”?)
8. Home Depot & Target Breach (Lessons Learned)
9. Final Q&A
5 POLLING QUESTION: WHERE ARE MOST OF THESE THREATS COMING FROM?
A. INTERNAL (EMPLOYEES, VENDOR ACCESS/SUB-CONTRACTORS)?
B. EXTERNAL THREATS (UNKNOWN HACKER)?
6 Disgruntled employees, insiders pose big hacking risk
Some 29% of the survey takers said they were most concerned about the lack of visibility into applications and networks, while 28% said their top concern was insider threats. Both of those concerns relate to how a disgruntled employee, or an insider aligned with criminals, could disrupt a company's network, or steal valuable intellectual property. By contrast, just 14% said financially-motivated hackers worried them most, while 6% cited political hacktivists.
7 Annual reports on insider threats
89% - More at risk from insider threats
8 Reuters Case Study: Ex-Employee & Passwords
9 Editor – 2 months w/ access AFTER TERMINATION (Matthew Keys)
10 IT Community Comments
11 Polling Question: What’s your network access password change policy?
A. Expires 1 year
B. Expires every 180 days
C. NEVER EXPIRES (I’m an admin!)
12 Notable IT and Cybersecurity standard setters
1. International Organization for Standardization (ISO)
2. International Information Systems Security Certifications Consortium (ISC2)
3. PCI Security Standards Council, LLC (PCI-DSS)
4. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
5. ISACA (COBIT)
13 Polling Question: Which IT Guidance/Frameworks are you predominantly working with now?
A. COSO and/or COBIT
B. ISO and/or ISC2
C. PCI and/or ISO
D. Most of the above
14 The Cost of a Data Breach
15 Principle of Least Privilege Access
Defined as the practice of limiting access to the minimal level that will allow normal functioning; it is applied to both human and system user access
Originated by the US Department of Defense in the 1970’s to limit the potential damage of any accidental or malicious security breach
It is the underlying principle and the predominant strategy used to assure confidentiality within a network
Role-based access was developed to group users with common access needs, simplifying security
16 Users with Elevated Access
By default systems will process commands based on the level of access the user who initiated the command has.
System and domain administrators pose unique problems within a software application.
Group: Administrators
Description: Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member. Because this group has full control in the domain, add users with caution.
Default user rights: Access this computer from the network; Adjust memory quotas for a process; Back up files and directories; Bypass traverse checking; Change the system time; Create a pagefile; Debug programs; Enable computer and user accounts to be trusted for delegation; Force a shutdown from a remote system; Increase scheduling priority; Load and unload device drivers; Allow log on locally; Manage auditing and security log; Modify firmware environment values; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.
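The Reuters case (an ex-employee keeping access for two months after termination), the password-expiry polling question and the elevated-access slide above all come down to the same periodic user access review. The script below is an added example, not material from the webinar or from Aviva Spectrum: it runs that review over a constructed directory export and a constructed HR leaver list. The account names, dates, the 90-day password age and the list of privileged groups are assumptions; only the group names come from the Administrators slide.

```python
"""User access review over a constructed directory export (added example).

Flags the conditions the slides warn about: an ex-employee whose account is
still enabled (or still logging on) after termination, members of privileged
groups, and passwords exempt from expiry or older than the assumed policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed policy values; substitute your organisation's own.
MAX_PASSWORD_AGE_DAYS = 90
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


@dataclass
class Account:
    sam: str                     # logon name
    enabled: bool
    groups: Set[str]
    pwd_last_set: date
    pwd_never_expires: bool
    last_logon: Optional[date]


@dataclass
class Finding:
    account: str
    code: str
    detail: str


# Constructed sample export (fictional names and dates).
ACCOUNTS: List[Account] = [
    Account("jdoe", True, {"Domain Users"}, date(2015, 11, 1), False, date(2015, 12, 9)),
    Account("asmith", True, {"Domain Users"}, date(2015, 6, 1), False, date(2015, 12, 1)),
    Account("itadmin", True, {"Domain Admins", "Domain Users"}, date(2014, 1, 15), True, date(2015, 12, 10)),
    Account("svc_backup", True, {"Backup Operators"}, date(2015, 10, 1), True, None),
    Account("bwhite", False, {"Domain Users"}, date(2015, 3, 3), False, date(2015, 8, 30)),
]

# Constructed HR feed: logon name -> termination date.
HR_TERMINATIONS: Dict[str, date] = {
    "asmith": date(2015, 10, 1),
    "bwhite": date(2015, 9, 1),
}


def review(accounts: List[Account], terminations: Dict[str, date], today: date) -> List[Finding]:
    """Reconcile the directory against HR and the password policy; return findings."""
    findings: List[Finding] = []
    for acct in accounts:
        term = terminations.get(acct.sam)
        if term is not None and term <= today:
            if acct.enabled:
                findings.append(Finding(acct.sam, "LEAVER_ENABLED",
                                        f"terminated {term}, account still enabled"))
            if acct.last_logon is not None and acct.last_logon > term:
                findings.append(Finding(acct.sam, "LOGON_AFTER_TERMINATION",
                                        f"last logon {acct.last_logon} is after termination {term}"))
        if not acct.enabled:
            continue   # disabled accounts need no password or privilege checks
        privileged = acct.groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append(Finding(acct.sam, "PRIVILEGED_GROUP",
                                    f"member of {sorted(privileged)}; recertify owner and need"))
        if acct.pwd_never_expires:
            findings.append(Finding(acct.sam, "PASSWORD_NEVER_EXPIRES",
                                    "exempt from the password change policy"))
        age = (today - acct.pwd_last_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(Finding(acct.sam, "PASSWORD_STALE",
                                    f"password is {age} days old (limit {MAX_PASSWORD_AGE_DAYS})"))
    return findings


def codes_for(findings: List[Finding], sam: str) -> Set[str]:
    """Finding codes raised for one account (handy for reports and tests)."""
    return {f.code for f in findings if f.account == sam}


if __name__ == "__main__":
    for f in review(ACCOUNTS, HR_TERMINATIONS, date(2015, 12, 10)):
        print(f"{f.account:<12} {f.code:<25} {f.detail}")
```

The leaver check runs before the enabled check on purpose: a terminated account that is disabled but still shows a logon after the termination date is evidence of exactly the two-month gap in the Reuters case, and it would be lost if disabled accounts were skipped first.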
17 Polling Question: How much does SOX 404 compliance resolve your IT user access concerns?
A. A lot, we sleep well at night
B. Some but not enough
C. Very little
D. We haven’t started on user access reviews
18 Number of Cloud Apps a Company is Using
Survey results released by Netskope in July 2014 revealed that, on average, 508 apps are in use within each enterprise, with the top categories being marketing, human resources, collaboration, storage and finance / accounting.
88% of these apps have areas of concern from a security perspective
85% of data is uploaded to apps that enable file sharing
81% of data downloads occurred in apps with no data-at-rest encryption
77% of total apps reside and are processed in multi-tenant environments
19 Top Cloud Apps Identified by Netskope
20
As was widely reported, the hackers apparently gained access to Sony’s computer systems by obtaining the login credentials of a high-level systems administrator. Once the credentials were in the hands of the hackers, they were granted “keys to the entire building,” according to a U.S. official.
They hacked into one server that was not well protected, and escalated the attack to gain access to the rest of the network.
Sony’s network was not layered well enough to prevent breaches occurring in one part from affecting other parts. In addition, the password “password” was used in 3 certificates.
A combination of weak passwords, lack of server layering, not responding to alerts or setting up alerts, inadequate logging and monitoring, and lack of Security Education Training and Awareness all contributed to the Sony Breach.
21 Problems with Passwords
People, process and technology are all needed to adequately secure a system
When left on their own, people will make the worst security decisions
Without any security training, people can be easily tricked into giving up their passwords
Passwords can be insecure: people will choose easily remembered and easily guessed passwords
Passwords can be easily broken: free programs are available on the Internet that can “crack” the password
Passwords are inconvenient: computer generated passwords can be difficult to remember and are written down
Passwords do not have any authority: use of a password does not confirm the identity of the user entering the password
22 In 2014, Cox was hacked by "EvilJordie," a member of the "Lizard Squad" hacker collective.
The FCC's investigation found that by posing as a Cox IT staffer, the hacker convinced a Cox customer service representative to enter their account IDs and passwords into a fake website.
Under the terms of the settlement, Cox will pay the fine, identify all victims of the breach, notify them and give them a year of credit monitoring. The agreement also requires Cox to conduct internal system audits, internal threat monitoring, penetration testing and other security measures to prevent further hacks
23 Passwords - Cloud Apps and Remote Contractors
Cloud apps and remote contractors represent a significant risk to the overall security of the company’s information assets because:
Cloud apps can be implemented and remote contractors can be engaged without any knowledge from IT
Most companies do not have one central point of authority for cloud apps and remote contractors
There is a general lack of understanding of the scope of work for cloud apps and remote contractors, so elevated access is generally granted without any consideration of the risks
User access cannot be validated against Active Directory, or exceptions to the company’s password policy are granted
One user account is shared among multiple users
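Each risk on this slide can be tested for by pulling a cloud app’s user export and login log and reconciling them against the directory. The script below is an added example (not code from the webinar or from Aviva Spectrum) that does so over constructed data: it flags cloud users with no directory account, users whose directory account is disabled but who still hold cloud access, admin roles outside an approved list, and accounts that look shared because they log in from different addresses within a short window. The email addresses, IP addresses, timestamps, the approved-admin list and the 60-minute window are all assumptions.

```python
"""Cloud app user reconciliation against a directory (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

SHARED_WINDOW = timedelta(minutes=60)   # assumed heuristic: two addresses within an hour

# Constructed directory export: email -> account enabled?
DIRECTORY: Dict[str, bool] = {
    "jdoe@example.com": True,
    "asmith@example.com": False,         # left the company; directory account disabled
    "itadmin@example.com": True,
    "finance@example.com": True,
}

# Constructed user export from a cloud app: (email, role in the app).
CLOUD_USERS: List[Tuple[str, str]] = [
    ("jdoe@example.com", "user"),
    ("asmith@example.com", "user"),
    ("itadmin@example.com", "admin"),
    ("rjones@contractor.example", "admin"),   # remote contractor added by the business, not IT
    ("finance@example.com", "user"),
]

# Assumed list of cloud admins that IT has actually approved.
APPROVED_ADMINS: Set[str] = {"itadmin@example.com"}

# Constructed login log: (email, ISO timestamp, source IP).
LOGINS: List[Tuple[str, str, str]] = [
    ("jdoe@example.com", "2015-12-01T09:00:00", "203.0.113.5"),
    ("jdoe@example.com", "2015-12-01T17:30:00", "198.51.100.20"),   # same person, from home, hours later
    ("finance@example.com", "2015-12-01T09:05:00", "203.0.113.5"),
    ("finance@example.com", "2015-12-01T09:20:00", "203.0.113.9"),  # a second person on the same account
    ("rjones@contractor.example", "2015-12-01T10:00:00", "192.0.2.44"),
]


def shared_account_candidates(logins: List[Tuple[str, str, str]], window: timedelta) -> Set[str]:
    """Accounts with logins from two different addresses inside one window."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for email, ts, ip in logins:
        by_user[email].append((datetime.fromisoformat(ts), ip))
    flagged: Set[str] = set()
    for email, events in by_user.items():
        events.sort()
        for i, (t_i, ip_i) in enumerate(events):
            for t_j, ip_j in events[i + 1:]:
                if t_j - t_i > window:
                    break                      # sorted, so nothing later is closer
                if ip_j != ip_i:
                    flagged.add(email)
                    break
    return flagged


def reconcile(cloud_users, directory, logins, approved_admins) -> List[Tuple[str, str, str]]:
    """Return (email, finding code, detail) for every cloud user that needs attention."""
    findings: List[Tuple[str, str, str]] = []
    shared = shared_account_candidates(logins, SHARED_WINDOW)
    for email, role in cloud_users:
        if email not in directory:
            findings.append((email, "NOT_IN_DIRECTORY", "no matching directory account; verify owner and contract"))
        elif not directory[email]:
            findings.append((email, "DIRECTORY_DISABLED", "directory account disabled but cloud access remains"))
        if role == "admin" and email not in approved_admins:
            findings.append((email, "UNAPPROVED_ADMIN", "elevated role in the app without IT approval"))
        if email in shared:
            findings.append((email, "POSSIBLE_SHARED_ACCOUNT", "logins from different addresses within the window"))
    return findings


def codes_for(findings, email: str) -> Set[str]:
    return {code for who, code, _ in findings if who == email}


if __name__ == "__main__":
    for who, code, detail in reconcile(CLOUD_USERS, DIRECTORY, LOGINS, APPROVED_ADMINS):
        print(f"{who:<28} {code:<24} {detail}")
```

The shared-account test is a heuristic and will produce false positives for users whose address changes mid-session (VPN reconnects, mobile networks); treat it as a prompt for the access owner to confirm, not as proof.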
24
25 Single Sign-On and Password Emerging Trends
Single sign-on is an authentication process that allows users to enter one user name and password to access multiple applications they have been given rights to.
Two-factor authentication requires additional factors to establish a user’s identity, such as a password and a PIN number, a password and a fingerprint, a retina scan and a fingerprint, etc.
Establishing complex user names, such as K$@ssEr
Establishing meaningful, easy to remember complex passwords: t3chRock$ or $omething2about!
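The “password and a PIN number” combination above is what a time-based one-time code from an authenticator app provides. Below is an added example, not code from the webinar or from Aviva Spectrum, of a login that checks a PBKDF2 password hash and then a TOTP code (RFC 6238, HMAC-SHA1, 30-second steps, one step of tolerance either side). The user record is constructed; the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the standard, and the password is the sample one from the slide.

```python
"""Password plus TOTP second factor (added example)."""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    counter = int(at_time) // STEP_SECONDS
    ok = False
    for c in range(counter - window, counter + window + 1):
        # compare every candidate so timing does not reveal which step matched
        ok = hmac.compare_digest(hotp(secret, c), submitted) or ok
    return ok


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the slow KDF is what blunts offline cracking."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed user record. The TOTP secret would normally be generated at
# enrolment and stored encrypted; here it is the RFC 6238 test-vector key.
USER_DB = {
    "jdoe": {
        "password": hash_password("$omething2about!"),    # sample password from the slide
        "totp_secret": b"12345678901234567890",
    },
}


def login(username: str, password: str, code: str, at_time: Optional[float] = None) -> bool:
    """Both factors are always evaluated; the result is the conjunction."""
    at_time = time.time() if at_time is None else at_time
    record = USER_DB.get(username)
    if record is None:
        return False
    password_ok = verify_password(password, record["password"])
    code_ok = verify_totp(record["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    current = totp(USER_DB["jdoe"]["totp_secret"], now)
    print("login with current code:", login("jdoe", "$omething2about!", current, now))
```

The second factor only helps if the code is bound to the session that presented the password; an application that accepts the code on a separate, unauthenticated endpoint has not actually required two factors.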
26 Community & Sharing
User Access Rights Webinar
Join Our LinkedIn Group: COSO Framework Discussion & Webinars
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
Technical community for sharing ideas, templates, webinars and advice, and for learning from others implementing the new framework.
Share your latest templates here!
27 Community & Sharing
LinkedIn Group: Friggin’ Bean Counters
https://www.linkedin.com/groups/6985169
28 Chat TIME?
Does your organization have a PROVEN SYSTEM for monitoring its user access policies?
29 System Best Practices
Diagram: User Access Controls by review cadence (Weekly, Monthly, Quarterly, Annual)
30 User Access Procedure Diagnostic
Email us for 5 SPOTS ONLY: [email protected]
SUBJECT: USER ACCESS
Diagram labels: In-take, Benchmark, Internal Threat Analysis
31 Aviva Spectrum is HIRING
1. SOX 404 – Senior Internal Auditors
2. IT auditors
3. SEC Reporting Managers
4. Cyber security consultants
Email:
32 Questions?
33 Speaker Contacts
Sonia Luna, CEO, Aviva Spectrum
CONNECT: www.linkedin.com/in/sonialuna
EMAIL: [email protected]
PHONE: (424) 625-0241
Karla Sasser, Senior Associate, Aviva Spectrum
CONNECT: www.linkedin.com/in/karlasasser
EMAIL: [email protected]
PHONE: (818) 384-8846